I’m just after the weekend spent on fighting with Win32.Sality and yes, Comodo Antivirus (the most recent version with the most recent virus DB) doesn’t seem to deal well with this severe virus. Although it reports some unknown malware when executing the infected file, it doesn’t seem to stop the virus from its activity just after running the infected EXE. The virus, besides infecting other files, running NETSH, etc., messes up the Comodo software.
I’ve got several infected files, so I can send them to the COMODO developers. It’s quite surprising that such an old and quite dangerous virus is not recognized by one of the most popular free security software packages like COMODO…
Well yes - that’s how I realised something wrong was happening - the D+ started showing message balloons (not confirmation prompts!) that different applications (mainly those that I had set to autorun) were modifying other applications or processes. Another indication was the firewall, which indicated outgoing and incoming connections from strange IP addresses to the applications that were being dynamically created in the temp directory.
Before I formatted the HD (got to the point where about 300 files were infected and some couldn’t be handled by AVK’s rmslt.exe) I managed to get regedit and Process Explorer working, and one thing I observed was that the infected applications were infecting cfp.exe also. After that Comodo was reporting problems and a need for a repair process.
Petit: yes, but non-polymorphic viruses are a piece of cake; polymorphism detection is the functionality you expect from the antivirus software…
Kyle: sure, but it’s a pity that COMODO is in that 10% that don’t… ;(
I’m gonna submit a couple of infected files to COMODO; hope it will help the team improve that good product.
If anyone has some questions about that virus - do not hesitate to ask - let the hours I spent on that yesterday be helpful for others. Here’s a pretty good description of what was happening on my system; however, it doesn’t mention executing NETSH.EXE: http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=52797
Thanks for sending these samples to Comodo AV labs, as indeed a family signature ought to be developed to address these vectors which were sighted in the wild before Comodo even started to develop its AV.
Please submit them to CIMA/CAMAS (along with a link as well).
BTW, were you able to identify how you got infected in the first place?
The modifications carried by startup applications ought to be a propagation step of an active infection whereas the original infection vector should have been an unknown app.
OK, I’ll submit the infected file. The infection started by running the infected application that came from one of my employees (and unfortunately Comodo AV didn’t warn me when I touched that file) - I’ve reproduced that in the test environment. The best way to see what’s happening is to run the infected EXE with Process Explorer (Sysinternals) open and watch what happens to the applications that were autostarted. The system infection begins when the virus displays the fake error message after running the infected EXE.
Thanks for the submission, but please post a link to the CIMA and VirusTotal reports as well, as it would be beneficial for the Leak Testing/Attacks/Vulnerability Research board.
Although the original vector should have been able to trigger alerts as well, it is indeed unfortunate that the AV didn’t get a signature for it and hopefully one will now be available soon enough.
It would be possible to increase the level of monitoring by enabling Comodo - Proactive Security Configuration from the CIS tray icon menu (e.g. soon after installation), as I gather the default configuration that is provided when the AV is installed offloads/disables some proactive protection by privileging detection of some types of threats, whereas when installing the firewall alone the proactive security would be selected by default.